>>>>> "Turbo" == Turbo Fredriksson <[EMAIL PROTECTED]> writes:
Turbo> Since I've separated AUTHENTICATION and AUTHORIZATION,
Turbo> there's no need for an LDAP/slapd keytab...
Then you have a security hole.
Take a look at the following text from section 10 of RFC 4120:

    Proper decryption of an KRB_AS_REP message from the KDC is not
    sufficient for the host to verify the identity of the user; the user
    and an attacker could cooperate to generate a KRB_AS_REP format
    message that decrypts properly but is not from the proper KDC. To
    authenticate a user logging on to a local system, the credentials
    obtained in the AS exchange may first be used in a TGS exchange to
    obtain credentials for a local server. Those credentials must then
    be verified by a local server through successful completion of the
    Client/Server exchange.
In particular just doing a kinit does not actually verify that the
password is correct; it simply verifies the passwords typed at the
command line and used by the server claiming to be the KDC are the
same. You need a keytab to confirm the KDC is really a KDC.
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
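As an added illustration (not part of the thread above, and not krb5 code), here is a toy Python model of the three-step check the RFC text describes: decrypt the AS_REP with the password-derived key, trade the TGT for a ticket to the local host, then verify that ticket with the host's keytab key. HMAC sealing stands in for Kerberos encryption, so "decrypts properly" means "MAC verifies under this key"; the principal names, password and `KDC`/`login` helpers are constructed for the example. A KDC that knows the user's password but not the host's keytab key passes the first step and fails the third, which is the hole the reply is pointing at.

```python
"""Toy model of the KDC verification check from RFC 4120 section 10.

Constructed example: HMAC sealing stands in for Kerberos encryption, so
'opens under key K' means 'MAC verifies under K'. Principal names, the
password and the helper classes are hypothetical.
"""
import hashlib
import hmac
import json
import os


def derive_key(secret: str) -> bytes:
    """Stand-in for string2key: turn a password into a fixed-size key."""
    return hashlib.sha256(secret.encode()).digest()


def seal(key: bytes, payload: dict) -> dict:
    """Stand-in for Kerberos encryption: canonical JSON plus a MAC under key."""
    body = json.dumps(payload, sort_keys=True)
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def unseal(key: bytes, box: dict) -> dict:
    """'Decrypts properly' iff the MAC verifies under key; otherwise raise."""
    expected = hmac.new(key, box["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, box["mac"]):
        raise ValueError("message does not decrypt under this key")
    return json.loads(box["body"])


class KDC:
    """A KDC that holds whatever principal keys it has been given."""

    def __init__(self, principal_keys: dict):
        self.keys = dict(principal_keys)
        self.tgs_key = os.urandom(32)  # key the KDC uses to seal TGTs

    def as_exchange(self, user: str) -> dict:
        """AS_REQ/AS_REP: a TGT sealed under the TGS key, wrapped under the user's key."""
        session = os.urandom(16).hex()
        tgt = seal(self.tgs_key, {"client": user, "session": session})
        return seal(self.keys[user], {"tgt": tgt, "session": session})

    def tgs_exchange(self, tgt: dict, service: str) -> dict:
        """TGS_REQ/TGS_REP: a service ticket sealed under the service's key.

        A KDC that does not hold the service key (a rogue one) can only
        seal under a key it made up, which the real service will reject.
        """
        claims = unseal(self.tgs_key, tgt)
        key = self.keys.get(service, os.urandom(32))
        return seal(key, {"client": claims["client"], "service": service})


def login(kdc: KDC, host_principal: str, host_keytab_key: bytes,
          user: str, password: str) -> tuple:
    """Host-side login; returns (as_rep_decrypted, ticket_verified_with_keytab)."""
    user_key = derive_key(password)
    try:
        as_rep = unseal(user_key, kdc.as_exchange(user))
    except (ValueError, KeyError):
        return (False, False)  # what a plain kinit failure looks like
    # The AS_REP decrypted: this is all a bare kinit ever checks.
    ticket = kdc.tgs_exchange(as_rep["tgt"], host_principal)
    try:
        claims = unseal(host_keytab_key, ticket)  # the keytab check
    except ValueError:
        return (True, False)  # decrypted fine, but not from the real KDC
    return (True, claims["client"] == user)


def demo() -> dict:
    """Genuine KDC, a KDC that only knows the password, and a wrong password."""
    host = "host/login.example.test"  # hypothetical host principal
    host_key = os.urandom(32)         # the key stored in the host's keytab
    user, password = "alice", "correct horse battery"  # constructed
    genuine = KDC({user: derive_key(password), host: host_key})
    rogue = KDC({user: derive_key(password)})  # has the password, not the keytab
    return {
        "genuine": login(genuine, host, host_key, user, password),
        "rogue": login(rogue, host, host_key, user, password),
        "wrong_password": login(genuine, host, host_key, user, "guess"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} as_rep_decrypted={result[0]} keytab_verified={result[1]}")
```

The `rogue` row is the case the reply describes: the AS_REP decrypts because the password is known to both sides, and only the keytab step distinguishes it from the genuine KDC. In a real deployment that third step is the client library verifying a service ticket for the host's own principal against its keytab, which is why the host needs one even when authorization lives elsewhere.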